Presenting our inaugural privacy heroes and villains awards

Who’s fighting the good fight and who’s using facial recognition technology every chance they get? Drum roll please…

By Nigel Jones

Co Founder of The Privacy Compliance Hub

June 2022

The past two years have been nothing but eventful when it comes to privacy news. Covid-19 provided companies with exciting new ways to track personal data – all for the greater good of course. Technology has come on leaps and bounds, with facial recognition technology almost old news, and Amazon selling roaming robot cameras to monitor the visitors to our homes. 

But who has raised the bar on responsibility? And who has pushed privacy to one side as they pursue profits? Presenting the Privacy Compliance Hub’s inaugural heroes and villains awards…

Biggest cock up

So you want to run some staff training around cybersecurity – very sensible. Just make sure you don’t take a leaf out of West Midlands Trains’ book. The company sent 2,500 employees a message from the managing director promising a bonus to thank them for their hard work during the pandemic. The problem was it turned out to be a company-designed phishing simulation test. 

Worst excuse of the year

Everybody’s favourite facial recognition technology company Clearview AI has been in the news a lot over the past year. But after being fined more than £7.5m by the UK’s privacy watchdog – the fourth country to take enforcement action against the firm – Clearview’s chief executive Hoan Ton-That had this to say: “I am deeply disappointed that the UK Information Commissioner has misinterpreted my technology and intentions”. That clears that up then. 

Biggest fine of the year

The UK regulator isn’t the only one handing out fines. Luxembourg’s data protection authority fined Amazon €746m (or £636m) in 2021 for lack of a lawful basis for collecting and processing personal data for the purposes of targeted advertising. The ensuing fine was 15 times bigger than the previous GDPR record, although Amazon has indicated it will challenge the ruling.

Biggest let-off

Perhaps Amazon will be as lucky as British Airways, which had its fine reduced from £183m to £20m by the ICO after a 2018 cyberattack that breached the personal data of nearly 500,000 customers. The original amount was 1.5% of BA’s annual global turnover in 2017 but the ICO considered the impact of the pandemic on the company, as well as its cooperation with the investigation. Marriott Hotels also benefited from a big reduction in its ICO fine – from £99m to £18.4m. 

Brass-neck award

It’s good to admit it when you’ve made a mistake – and when it comes to data breaches, the GDPR requires such disclosure – but wouldn’t it be nice if everyone could keep quiet about it? 

In 2021, the British fashion retailer FatFace was hacked and an unspecified number of customers had their names, email addresses, addresses and partial payment card details compromised. It took more than two months to tell its affected customers in an email that insisted recipients keep the details “strictly private and confidential”. No can do FatFace. 

Bad neighbour award

Ring security cameras and doorbells have become a veritable treasure trove of footage for police forces all over the world. But a recent court case found they may be being used illegally if they’re positioned in a way that breaches others’ privacy. The devices’ ability to capture conversations up to 20 metres away was ruled to be excessive, and the judge warned such doorbells would only be legal if they didn’t look onto a neighbour’s property or a public footpath/road.

Worst product

Another Amazon invention that’s raising eyebrows is the Astro robot, with technology reporters scratching their heads about what the device is actually for. While the benefits to users may not be immediately obvious, we can be pretty sure the personal data Astro collects about its owners via its cameras and inbuilt Alexa drove Amazon to release this device. Home monitoring seems to be top of the list, aka an autonomous home security system that can roam from room to room, detect unidentified people, and send alerts when it hears unexpected sounds. But really, it’s another application where facial recognition technology is being normalised. And that’s deeply problematic for privacy.  

The we’ve finally twigged award

One of the world’s biggest tech giants – Apple – is finally putting privacy front and centre. From big advertising campaigns that promote users’ ability to control iPhone app tracking (which led to a big spat with Facebook), to suing the Israeli spyware company NSO Group over alleged iPhone tracking of journalists, activists and foreign government officials, Apple’s commitment to privacy is becoming a real USP. That said, its Airtags are being used to stalk people, so perhaps there’s still some way to go. 

Biggest shock statistic

It’s hard to choose the biggest shock statistic of the past year. Maybe it’s the new study from the Irish Council for Civil Liberties that found UK web users’ data is shared 462 times per day? Or perhaps it’s the 60% of workers who now report being subject to some sort of technological monitoring or surveillance by their employer? Either way, our right to privacy is coming under renewed threat from all sorts of angles and we need to stand up for it. 

Regulator of the year

Spain’s Data Protection Agency, known as the AEPD, has handed down a whopping 430 fines since the GDPR was introduced in 2018, a total of €55.5m. In comparison, the UK has only issued nine fines, although they do amount to €53.9m. 

Victim of the year

It’s a two-way tie for our victim of the year award. Of course, Elton John had a horrible time after the Cabinet Office disclosed his postal address online, as one of the 2020 New Year’s Honours recipients – it was later fined £500,000 for the breach. But who could forget the CCTV footage of Matt Hancock and Gina Coladangelo kissing in his Whitehall office, which was subsequently leaked to the newspapers? It would be nice to forget that one…

The 1984 award

In Scotland, the ICO was forced to step in after nine schools used facial recognition software to speed up the lunch queue, urging them to choose a “less intrusive approach”. Privacy campaigners argued children should be taught to protect highly sensitive, personal biometric data, rather than give it away just so they can pay for their chips a bit quicker. 

Privacy spoilsport of the year

It was a sweet love story that became a pandemic sensation after an American software engineer, John Wardle, invented a new daily word game for his partner. After his wider family quickly became obsessed, he released it to the world and within two months, more than 300,000 people were playing along, all for free. But in January 2022, the New York Times bought Wordle for a seven-figure sum. And one of the first things they did was add lots of ad trackers. Boo!

Have we missed any out? Who were your top privacy heroes and villains from the 2020s so far? 

And if you work for a business that you feel could be doing more on privacy, take our free GDPR compliance health check to start building your culture of continuous privacy compliance.
